DATASHEET

Trend Micro Cloud One™ - Container Security


Continuous protection for your container images and registries, automated within your CI/CD pipeline 


Cloud-first application development strategies are becoming more prevalent amongst companies looking to improve the speed of deployment and cohesive application ecosystems. However, today's organizations find it hard to manage traditional security solutions with those required by DevOps teams and business units, as they operate with different resources and priorities. On top of that, monolithic approaches to application development are changing how organizations look to transition to cloud, container, and serverless platforms.


Key Advantages

Prevent exploits prior to runtime

Protect against malware, vulnerabilities, and secrets with build-time and registry scanning of container images. Ensure threats are detected before applications are deployed.











The IT analyst and research firm, ESG, recently conducted a survey that indicated 39% of companies are deploying a cloud-first strategy, whereby new applications are only to be built using public cloud services—unless there is a compelling case to deploy on-premises.

Protection optimized for DevOps

Implement frictionless security early in the CI/CD workflow with security as code and automated protection that won't slow down your DevOps processes.

















With production workloads shifting to cloud-native platforms and DevOps teams adopting security best practices across their build pipelines and cloud-native applications, security solutions need to be designed to succeed across environments (physical, virtual, cloud, containers, and serverless). This provides synergy between IT security and DevOps practices. It also promotes tool consolidation and collaboration of security and compliance requirements, without interfering in continuous implementation/continuous delivery (CI/CD) development cycles.





Full life cycle container protection

• Trend Micro Cloud One™ - Workload Security complements Container Security, providing leading runtime container protection for full life cycle security of your containers.














Trend Micro Cloud One™ - Container Security* delivers automated build pipeline container image and registry scanning. Designed for developers and operations teams, Container Security enables earlier and faster detection of malware, secrets/keys, compliance violations, and vulnerabilities, including those found in open-source code dependencies. Additionally, Container Security provides the ability to detect threats in package manager installed apps, as well as direct installed apps, using Trend Micro's industry-leading rules feed. Container Security helps developers extend even further to the left with Snyk's open-source vulnerability database, offering early detection and mitigation of vulnerabilities in open-source code dependencies. With Container Security, DevOps teams are enabled to continuously deliver production-ready applications and meet the needs of the business without impacting build cycles.

Continuous scanning optimized for DevOps


Container Security helps DevOps teams adopt frictionless security with immediate, continuous scanning for threats, vulnerabilities, 
secrets, and compliance violations. Container Security also provides dashboard visibility, notifications, and scanning logs for 
compliance assistance. Optimized for leading container platforms, Container Security can be seamlessly integrated into your existing 
toolchain. 


Automate processes with APIs 


Container Security provides complete automated product functionality using a comprehensive catalog of APIs, purposely built 
to integrate into your CI/CD pipeline. Container Security allows application architects and developers to bake security as code 
into their build pipeline for container image and registry scanning. Implementing effective security earlier in the software build 
pipeline helps to achieve consistent results faster in the development cycle and reduces manual security steps and application 
downtime. 


Smart protection 


Container Security reduces disruption of development schedules and workflows with unmatched research and detection of threats, as well as non-intrusive security for the CI/CD pipeline. Container Security eliminates the complexity and volume of threats with detection of vulnerabilities, secrets, and zero-day malware using the Trend Micro™ Smart Protection Network™.


Compliance-ready protection 


Container Security allows security engineers to meet compliance requirements without impacting productivity and interfering 
in the CI/CD pipeline. What's more, it delivers policy compliance scanning, with customizable policies to meet compliance and 
governance needs. Container Security also offers detailed log history, allowing for easy reporting and auditing. 


Container Security Architecture

CONTAINER SECURITY CAPABILITIES





Advanced image scanning 


When scanning, Container Security unpacks each layer of the 
image and performs detailed scans on the content. Ensure 
issues are fixed early on and filter out false positives by 
correlating patch layers with packages that are vulnerable in the 
same image. Container Security will scan images for: 





• Malware detection
• Vulnerability assessment
• Secrets, such as private keys and passwords
• Policy compliance
• Source-code vulnerabilities, utilizing Snyk detection


Continuous protection 


Container Security scans can be invoked when images are 
first built and will continually scan in the registry for new 
malware and vulnerabilities in production ready images. 
This ensures your images are secured from the first build 
and remain protected from future unknown threats. What's 
more, you can scan your images across multiple cloud 
environments from a single Container Security deployment. 


Automated pipeline security 

The full functionality of Container Security is available via APIs for fully-automated integration with your CI/CD pipeline.

• Add registries and target repositories with tags for scanning
• Automatically initiate subsequent image re-scans to check against new vulnerabilities when updates are received
• Invoke scans at any stage of the pipeline using the Container Security API
• Ensure that only clean images proceed through the pipeline and block bad images using image assertion
• Derive results from Container Security, via webhooks, to accommodate specific automated workflows. For example, a Docker® image signing service could be written to sign and promote images based on scan results





Enforce compliance 


Container Security provides advanced compliance scanning, 
with customizable policies to ensure you meet both internal and 
external requirements. Container Security scan logs support 
business and audit needs with detailed scan history and results. 
Console management and access control


Container Security provides an extensive graphical user 
interface (GUI) management console that includes a scan 
coverage dashboard, scan results, and scan target (view) 
configuration, as well as user and view management for role- 
based access control (RBAC). 


• Content sources: Shows a list of configured registries that are being scanned/monitored
• Active scans: Shows the status of any scan in progress
• Protection coverage: Shows what portion of the total images in a target registry have been scanned
• Scan alarms: Shows results that include detections of malware, vulnerabilities, and secrets


Scanned image details 


Container Security provides DevOps with security details and 
output, allowing for immediate response to any issues. 


• List of image layers that have been scanned
• Malware flag, including file name and location
• Content findings, including secrets or indicators of compromise (IOCs)
• Vulnerability details, including:
  - The number of common vulnerabilities and exposures (CVEs) by L/M/H CVSS rating
  - Layer and package information for each CVE
  - CVE and link to CVE file
  - Fix/patch version


World-class threat feed 


Container Security receives up-to-date threat feeds from both private Trend Micro sources and public sources for scanning performance.

• Provided by Trend Micro via the Trend Micro™ Smart Protection Network™ infrastructure for malware detection
• Machine learning algorithms to detect zero-day threats





WORKLOAD SECURITY COMPLEMENTS CONTAINER SECURITY

Protection across the container life cycle

Complementing Container Security image scanning capabilities, Workload Security provides advanced protection for runtime containers, with real-time malware protection, container vulnerability shielding, container traffic inspection, as well as protection for your container host, Kubernetes® layers, and more.

System requirements: For more information visit trendmicro.com/containersecurity





CONTAINER SECURITY ARCHITECTURE 


Installation 





Container Security is supported on the Kubernetes platform within a Kubernetes cluster. Container Security users are given access to a shell script and a suite of Kubernetes resources in the Container Security GitHub® repository. The images that comprise the application are available in Docker Hub.

• Public: https://github.com/deep-security/smartcheck-helm














DEPLOYMENT AND INTEGRATION

Container Security provides a valuable step in your CI/CD pipeline. It scans your container images and your preferred registry, such as Docker. All Container Security operations are available through a documented collection of APIs to simplify integration into your CI/CD pipeline. Its APIs can be invoked automatically by your CI/CD system to start scans when an image is pushed to a private Docker registry, for example. Scan results are also available through the API.

The Container Security API includes a webhook facility that allows CI/CD components to register. This lets you receive notifications of scan events, such as "scan completed", giving you the ability to automate workflows.

Container Security includes an administrator console that provides:

• A dashboard (system-wide summary of scan information, including metrics)
• A view summary (including scan results and metrics for the view)
• User management
• Registry and view configuration
• Access to scan results
• Scan history
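The webhook-driven promotion workflow described above (and in the "Automated pipeline security" list) in code, as an added example that is not Trend Micro's code: a receiver evaluates a "scan completed" event against a gate policy and decides whether to promote or block the image. The event schema, image name and thresholds are constructed assumptions for illustration; the product's real webhook payload format is not documented on this page.

```python
import json
from dataclasses import dataclass

# Constructed sample "scan completed" event. This schema is an ASSUMPTION for
# illustration only; it is not the documented Container Security webhook payload.
SAMPLE_EVENT = json.dumps({
    "event": "scan-completed",
    "image": "registry.example.internal/payments/api:1.4.2",
    "findings": {
        "malware": [{"file": "/usr/local/bin/helper", "layer": "sha256:aaaa"}],
        "secrets": [],
        "vulnerabilities": {"high": 1, "medium": 3, "low": 12},
    },
})

@dataclass(frozen=True)
class GatePolicy:
    """Thresholds an image must satisfy before it is promoted (illustrative values)."""
    max_high: int = 0          # block on any High-rated CVE
    max_medium: int = 5        # tolerate a few Medium CVEs awaiting a fix version
    allow_secrets: bool = False

def evaluate_findings(findings: dict, policy: GatePolicy) -> list:
    """Return the policy violations; an empty list means the image may be promoted."""
    reasons = []
    malware = findings.get("malware", [])
    if malware:  # any malware flag is a hard block, regardless of CVE counts
        reasons.append(f"malware in {malware[0]['file']}")
    secrets = findings.get("secrets", [])
    if secrets and not policy.allow_secrets:
        reasons.append(f"{len(secrets)} secret(s) found")
    vulns = findings.get("vulnerabilities", {})
    if vulns.get("high", 0) > policy.max_high:
        reasons.append(f"{vulns['high']} High CVE(s) exceeds limit {policy.max_high}")
    if vulns.get("medium", 0) > policy.max_medium:
        reasons.append(f"{vulns['medium']} Medium CVE(s) exceeds limit {policy.max_medium}")
    return reasons

def handle_webhook(raw_body: str, policy: GatePolicy = GatePolicy()) -> dict:
    """Parse one webhook delivery and decide whether the image is promoted or blocked."""
    event = json.loads(raw_body)
    if event.get("event") != "scan-completed":
        return {"action": "ignore", "image": event.get("image")}
    reasons = evaluate_findings(event.get("findings", {}), policy)
    action = "promote" if not reasons else "block"
    return {"action": action, "image": event["image"], "reasons": reasons}

if __name__ == "__main__":
    print(json.dumps(handle_webhook(SAMPLE_EVENT), indent=2))
```

A real signing service would call its signing and registry-promotion steps only on a "promote" decision and record the reasons on "block" for the scan history audit trail.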







BUILD SECURE. SHIP FAST. RUN ANYWHERE. 


Ready on: 





Kubernetes and Docker: Container Security deploys as a helm chart for easy installation within a Kubernetes cluster, and provides advanced build-time, as well as registry image scanning for malware, vulnerabilities, secrets, and policy compliance. Workload Security will provide additional protection for containers at runtime, as well as monitor for changes in container platforms, orchestration tools, files, and processes, ensuring full protection across the container life cycle.

Amazon Web Services (AWS): Container Security deploys to Amazon Elastic Container Service for Kubernetes (EKS) for container image scanning, and with the addition of Workload Security, you get runtime container and Amazon Machine Image (AMI) workload protection across your AWS environment.

Microsoft® Azure™: Container Security deploys to Azure Kubernetes Service (AKS) for container image scanning, with additional runtime container and Azure virtual machine (VM) protection available through Workload Security.

Google Cloud™: Deploy Container Security to your Google Kubernetes Engine (GKE) for build pipeline image scanning, with additional runtime container and VM instance protection available through Workload Security. Deploy Container Security in GKE to provision scanning across multiple cloud environments.

Red Hat® OpenShift: Container Security can be deployed into your OpenShift environments and secure your applications with advanced scanning during the software build pipeline. Runtime containers can be secured through Container Security (on supported hosts) to ensure full life cycle container protection.

VMware® Cloud™: Workload Security's strong integration across VMware® services ensures consistent protection across your virtual and cloud-based workloads, including containers, with broad platform and kernel support, automated policy management, and hypervisor-based security.


Container Security is part of Trend Micro Cloud One™, a security services platform for organizations building in the cloud, which also includes:

• Trend Micro Cloud One™ - Workload Security: Runtime protection for workloads (virtual, physical, cloud, and containers)
• Trend Micro Cloud One™ - File Storage Security: Security for cloud file and object storage services
• Trend Micro Cloud One™ - Application Security: Security for serverless functions, APIs, and applications
• Trend Micro Cloud One™ - Network Security: Cloud network layer IPS security
• Trend Micro Cloud One™ - Conformity: Cloud security and compliance posture management

*Trend Micro's container security offering integrates with Snyk and includes both Deep Security™ Smart Check™ - Container Image Security and Trend Micro Cloud One™ - Container Security.